Existing network security audit systems generally include mechanisms for real-time intrusion detection and/or proactive vulnerability analysis and penetration testing. Real-time intrusion detection systems often use packet sniffing capabilities and/or other network response tools to detect attacks on the network as or after they occur.
One drawback of existing real-time intrusion detection tools is that they take a reactive, defensive approach to network security rather than a proactive one. These tools are generally not configured to audit the network for policy violations and/or vulnerabilities so as to protect the network before an attack occurs. Furthermore, real-time intrusion detection information is generally of little or no value in determining the level of compliance with enterprise security policy and/or regulatory policy. Although real-time intrusion detection systems may attempt remediation to mitigate the problem after an intrusion on the network is detected, such remediation attempts are generally initiated manually for the particular device on the network that is being attacked. As the number of devices on the network grows, however, manual remediation attempts become costly and inefficient for dealing with security attacks. Furthermore, real-time detection systems provide little ability to accurately track the status of those remediation attempts.
With respect to vulnerability analysis tools, one drawback of utilizing such tools is that they typically search only for known vulnerabilities. Consequently, consultants are often hired to conduct penetration-testing tasks using these tools in conjunction with the knowledge that they have accumulated over time in handling specific vulnerabilities. Furthermore, for networks of even just a few thousand nodes, the consultants typically can review only a small sample of the network (typically only 5-10 percent). Information on the sampled nodes is then extrapolated to give some measure of vulnerability for the entire network. Such extrapolation, however, can often be extremely inaccurate, particularly where vulnerabilities are concentrated in a few segments rather than spread evenly across the network. Furthermore, it is generally only the sampled assets that receive remediation attention.
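The following simulation is an added illustration of the sampling problem described above; it is not part of the patent text and does not describe any product. The inventory of 2000 hosts, the placement of vulnerabilities (clustered in one constructed "legacy" segment, rare elsewhere) and the 5 percent uniform sample are all constructed here for the example. It compares what a full audit finds with what a single sampled engagement extrapolates, and shows that only the sampled hosts found vulnerable ever reach a remediation list.

```python
"""Added illustration (not part of the original text): why extrapolating
from a small host sample misstates exposure and leaves most vulnerable
hosts unremediated.  Every number below is constructed for the example."""
import random

HOSTS = 2000                 # constructed inventory size
SUBNET_SIZE = 200            # ten constructed segments of 200 hosts each
LEGACY_SUBNET = 7            # constructed: one segment of unpatched lab hosts
SAMPLE_FRACTION = 0.05       # the 5 percent review rate mentioned in the text


def is_vulnerable(host):
    """Constructed ground truth: vulnerabilities cluster in one legacy
    segment (90% of its hosts) and are rare elsewhere (2% of hosts)."""
    subnet = host // SUBNET_SIZE
    if subnet == LEGACY_SUBNET:
        return host % 10 != 0
    return host % 50 == 0


def actual_vulnerable():
    """What auditing every host (a full policy audit) would find."""
    return {h for h in range(HOSTS) if is_vulnerable(h)}


def sampled_audit(seed):
    """Audit a uniformly random 5% sample and extrapolate to the network.

    Returns (estimated_total, remediated): the extrapolated count of
    vulnerable hosts and the set of hosts that actually receive
    remediation attention, i.e. only sampled hosts found vulnerable."""
    rng = random.Random(seed)
    sample_size = int(HOSTS * SAMPLE_FRACTION)
    sample = rng.sample(range(HOSTS), sample_size)
    found = {h for h in sample if is_vulnerable(h)}
    estimate = round(len(found) * HOSTS / sample_size)
    return estimate, found


def estimate_spread(trials=200):
    """Repeat the sampled engagement with independent samples and report
    the lowest and highest extrapolated totals, to show how far the
    estimate can move from one engagement to the next."""
    estimates = [sampled_audit(seed)[0] for seed in range(trials)]
    return min(estimates), max(estimates)


if __name__ == "__main__":
    truth = actual_vulnerable()
    est, remediated = sampled_audit(seed=1)
    lo, hi = estimate_spread()
    print(f"actual vulnerable hosts:        {len(truth)}")
    print(f"one 5% sample extrapolates to:  {est}")
    print(f"spread over 200 samples:        {lo} .. {hi}")
    print(f"hosts remediated from sample:   {len(remediated)} "
          f"({len(truth) - len(remediated)} vulnerable hosts never touched)")
```

Because each sampled host carries a weight of 20 in the extrapolation, a single vulnerable host more or less in the sample shifts the network-wide estimate by 20 hosts, and a sample that happens to under- or over-represent the legacy segment can be far off the true total. Regardless of how accurate the estimate is, at most the 100 sampled hosts can ever appear on the remediation list, so the majority of the 216 vulnerable hosts in this constructed network are never touched.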
Accordingly, there is a need for a system and method to efficiently and systematically perform policy audits for protecting the security of a network before an attack occurs. There is also a need to automatically generate remediation tasks associated with the audits, and track their status to ensure that the tasks are being handled by the assigned persons.